Home / Companies / Sysdig / Blog / July 2020

July 2020 Summaries

7 posts from Sysdig

Filter
Month: Year:
Post Summaries Back to Blog
Sysdig has introduced a streamlined onboarding process that allows organizations to achieve Kubernetes visibility and security within five minutes by leveraging its SaaS-first approach and enhancements to the Sysdig Secure DevOps Platform. This new release features a guided onboarding process, out-of-the-box dashboards, and a new Sysdig Essentials tier designed to help organizations quickly implement key secure DevOps workflows, such as image scanning, runtime security, compliance, and monitoring. The platform aims to encourage early adoption of security and compliance measures without hindering the development process, thereby enabling faster application deployment. Sysdig's SaaS model offers advantages like reduced complexity, lower costs, and the ability to scale easily, making it an attractive option for organizations transitioning to container and Kubernetes environments. The new Sysdig Essentials tier, combined with a 14-day free trial, provides a cost-effective entry point for companies to enhance their DevOps capabilities with the added benefit of a unified platform that integrates security and monitoring, ultimately improving operational efficiency and facilitating rapid issue resolution.
Jul 27, 2020 1,290 words in the original blog post.
Focusing on five essential workflows for secure DevOps, this text outlines strategies to enhance security, compliance, and monitoring in cloud-native environments, particularly when using containers and Kubernetes. It emphasizes the importance of integrating image scanning for early vulnerability detection, implementing runtime security with a zero-trust approach, and maintaining continuous compliance validation to meet standards like NIST, PCI, and HIPAA. The text also highlights the critical role of monitoring both Kubernetes and cloud services to ensure high availability and performance, advocating for the use of Prometheus for visibility and suggesting tools like PromCat.io for effective monitoring integration. Encouraging automation and adherence to best practices, the text suggests that embedding security and compliance in DevOps processes can improve operational efficiency without slowing down development and recommends leveraging the Sysdig Secure DevOps Platform for further enhancing cloud service performance and security.
Jul 27, 2020 1,663 words in the original blog post.
Instrumenting applications with Prometheus involves a straightforward process for developers to collect and visualize application metrics, even if initially daunting. Starting small, developers can expose metrics over HTTP and use Prometheus to scrape these metrics with minimal configuration, enabling real-time aggregation and analysis through PromQL queries. Basic setup in Java, for example, involves a few lines of code to initialize default exports and start an HTTP server, allowing access to JVM metrics like garbage collection data. However, the true power lies in adding custom metrics relevant to specific applications, achieved with simple code additions that Prometheus's client library manages. Once comfortable with basic instrumentation, developers can explore integrating Prometheus into existing HTTP servers and expanding metrics coverage for more comprehensive monitoring. The Prometheus model, emphasizing decoupled components, allows for flexible, local debugging setups that can scale up for production environments, supported by tools like Sysdig for extensive monitoring needs.
Jul 23, 2020 706 words in the original blog post.
CVE-2020-8557 is a medium-severity vulnerability in Kubernetes that affects the kubelet component, allowing a denial of service (DoS) attack by exploiting the /etc/hosts file in containers. The vulnerability arises because the kubelet eviction manager does not account for the /etc/hosts file when calculating ephemeral storage usage. This oversight can be exploited by writing excessive data to the file, potentially filling the storage space and causing node failure. Falco, an open-source runtime threat detection tool for containers and Kubernetes, can detect exploitation attempts of CVE-2020-8557 by monitoring file write activities in the /etc directory, including the /etc/hosts file. Falco uses customizable rules to generate security events upon detecting abnormal behaviors. To mitigate the threat, an AppArmor profile can be applied to prevent write access to the /etc/hosts file while allowing most other container activities. It is advised to implement this mitigation strategy before upgrading Kubernetes to ensure protection against this vulnerability.
Jul 16, 2020 860 words in the original blog post.
The blog post explores how to effectively monitor AWS Lambda using Sysdig Monitor and Prometheus by leveraging the CloudWatch exporter, enabling a comprehensive view of serverless services. As serverless computing gains traction, AWS Lambda, a Function as a Service (FaaS) resource, necessitates robust monitoring to ensure optimal performance. Prometheus, an open-source monitoring solution, can gather metrics across various cloud services using exporters like the yet-another-cloudwatch-exporter (YACE), which the post details setting up within a Kubernetes environment to collect Lambda metrics from AWS CloudWatch. Key metrics such as errors, concurrency, throttling, latency, and traffic are discussed, along with PromQL queries for alerting on potential issues like configuration errors and performance inefficiencies. The integration process into Sysdig Monitor is described, highlighting the use of dashboards for visualizing Lambda's performance and the importance of optimizing CloudWatch's granularity to manage costs effectively. The post concludes by inviting readers to try this integration and provides resources for further exploration, including dashboards and alerts available on PromCat.io.
Jul 14, 2020 3,330 words in the original blog post.
Monitoring Kubernetes in production environments presents unique challenges compared to traditional server or VM monitoring due to the dynamic and complex nature of containerized applications. Kubernetes, which orchestrates service-oriented applications across clusters, introduces complexities such as increased infrastructure layers, microservices architecture, and high-churn environments. Legacy monitoring tools fall short in providing the necessary visibility and granularity, prompting the need for specialized tools that can handle high cardinality metrics and ephemeral container states. Tools like cAdvisor, Kubernetes metrics server, kube-state-metrics, and Prometheus are essential for building a robust Kubernetes monitoring setup. These tools enable monitoring of clusters, nodes, deployments, and applications, providing insights into resource utilization, application performance, and system health. Prometheus, in particular, has become the de facto standard for Kubernetes monitoring, but scaling it can pose challenges. Sysdig Monitor extends Prometheus capabilities, offering enhanced scalability and security, making it suitable for large-scale environments while maintaining compatibility with existing Prometheus workflows.
Jul 09, 2020 2,318 words in the original blog post.
The text explores best practices for effective alerting in Kubernetes environments, emphasizing the need for a comprehensive monitoring strategy that evolves with container orchestration systems. It highlights the challenges posed by new infrastructure layers, such as containers and orchestrators, microservices architecture, and the increased scale and aggregation requirements inherent in Kubernetes. The article suggests that alerts should be based on symptoms and be actionable to avoid unnecessary disturbances, and discusses specific alerting strategies for different layers of Kubernetes, including the host or node layer, Kubernetes infrastructure, and services running on Kubernetes. It also addresses the importance of leveraging container metadata for metric aggregation and segmentation to accurately monitor and alert on application performance, recommending tools like Sysdig Monitor and Prometheus for implementing these strategies. The conclusion underscores the necessity of a container-native monitoring and alerting system to maintain a reliable infrastructure, while also promoting further learning resources and tools for Kubernetes monitoring.
Jul 09, 2020 2,669 words in the original blog post.